You can't secure what you don't acknowledge.℠

Wednesday, February 17, 2010

What's your certification worth? Nothing.

According to Global Knowledge (you know, the training/certification folks), IT and security certifications are worth tens of thousands of dollars and, in some cases, over $100,000.

Man oh man, if it were only that easy to jump in and make that kind of money - and be able to sustain it. I say that certifications such as CISSP, ITIL, or PMP are worth absolutely nothing unless you make it so. What you earn is up to you - your qualities and the value you bring to the table - not just a simple certification.

Here are some pieces I've written about what it takes to meet and exceed these certification "value" levels. It's easier than you think.
http://securityonwheels.blogspot.com/search/label/certifications
http://www.principlelogic.com/careers.html

If you're just getting started down this path or you want to learn more about getting ahead in IT and information security in 2010, then use the discount code 'CertWorth' for 50 percent off the following Security On Wheels audio programs through the end of February:

Sunday, February 14, 2010

Great tool for seeking out sensitive info on your network

One of the greatest risks in business today is unstructured information scattered about the network, waiting to be misused and abused by rogue insiders and by outsiders who have gained "internal" access.

Reality has shown us that we absolutely cannot protect what we don't acknowledge. The best way to minimize this risk is to search your network far and wide for PII and other sensitive business information you can't afford to have exploited so you'll know which controls you need to put in place to keep it safe. I've done this with basic text search tools such as the one built right into Windows Explorer. Some enterprise solutions to this have come (and gone) in the name of data classification, storage management, and e-discovery tools.

But a tool I recently came across called Identity Finder, shown in the screenshot below, has piqued my interest:

Identity Finder has both a standalone and an enterprise version that will search inside many of the common file types and, as you can see in the figure above, seek out credit card numbers, passwords, SSNs, bank account numbers, and more. It's amazing what it will dig up on any given system...reason enough to make you at least want to encrypt your laptop hard drives.

I haven't been really pleased with the overall performance of the tool, and the consulting license for the enterprise edition is well out of my price range given all the other costs associated with performing a reasonable internal vulnerability assessment. But overall Identity Finder is definitely worth checking out - especially if you're trying to make the case for unstructured information and identity theft risks or you're trying to take your information classification, compliance, and risk management initiatives to a new level.